The vulnerability affects 18 of the Finnish firm's products for Microsoft Windows and Linux operating systems. An attacker could craft custom ZIP files that cause a buffer overflow, allowing malicious code to be executed on affected systems.
A malfunction also could occur in which RAR and ZIP archives are not properly scanned, allowing malware to go undetected, security-monitoring firm Secunia said in an advisory today. Secunia rated the vulnerability "highly critical."
No attacks have resulted from the vulnerability, F-Secure said.
Users of the latest F-Secure products, including F-Secure Internet Security and Anti-Virus 2004-2006, do not need to act, the company said. It automatically delivered a hotfix to those affected systems around 6:30 a.m. (EST) Thursday.
The company recommended that users of other products containing the vulnerabilities install a patch or upgrade to an unaffected version.
F-Secure credited blogger Thierry Zoller with detecting the vulnerability.
On his website, Zoller, a security engineer from Luxembourg, credited F-Secure with making the software flaw public, saying other anti-virus vendors with similar vulnerabilities "fixed the bugs silently or put a small notice in a change log."